Landing zone

A landing zone is a well-architected, multi-account AWS environment that is a starting point from which you can deploy workloads and applications. It provides a baseline to get started with multi-account architecture, identity and access management, governance, data security, network design, and logging.

AWS has two options for creating your landing zone: a service-based landing zone using AWS Control Tower and a customized landing zone that you build. Each option requires a different level of AWS knowledge.

AWS created Control Tower to help you save time by automating the setup of a landing zone so you can run secure and scalable workloads. Control Tower is managed by AWS and uses best practices and guidelines to help you create your foundational environment. Control Tower uses integrated services like AWS Service Catalog and AWS Organizations to provision accounts in your landing zone and manage access to those accounts.

Objectives

Create a landing zone with an initial configuration for the following:

• Account structure

• Network structure

• Predefined identity and billing frameworks

• Predefined user-selectable packages

• Ability to customize and configure

Outcomes

• A defined and secure landing zone ready for migration and further customization

How-to guide

• Setting up a secure and scalable multi-account AWS environment

Related resources

• AWS Control Tower

• AWS Service Catalog

• AWS Organizations

• Architecting security & governance across your landing zone